Robbing the keeper of keys
A decade before the SolarWinds hack raised the spectre of foreign governments gaining unfettered access to national secrets through supply chain attacks, there was another incident...
I’ve been focused these past months on writing Part Three of my spy fiction series Let Bhutto Eat Grass, and that has taken up most of my time. The book will remain work-in-progress for the next few months, so posts on Espionage& will be few and far between for now. —Shaunak
Lockheed Martin and L-3 Communications
A major attack was launched in 2011 against the computer networks of Lockheed Martin and L-3 Communications, a company that supplied command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and aerospace products to the US Department of Defense. The hackers, suspected to be members of PLA Unit 61398 (also known as APT1), gained access to Lockheed’s networks through the VPN that remote workers used for access.
Although quick countermeasures by Lockheed’s information security team kept the damage minimal, the breach caused a flutter because access to the VPN was controlled not only by usernames and passwords but also by two-factor authentication, the second factor being a six-digit pseudorandom code that changed every 60 seconds and was unique to each employee.
Two-factor authentication
Most computer systems accessible over public networks are secured by two-factor authentication. While the most common implementation is a website such as a bank’s or Amazon’s sending a one-time password (OTP) by text message to one’s phone, for corporate systems the second factor is typically provided by a token.
A popular implementation is RSA’s SecurID, provided by a hardware token like the one in the photograph below. The six-digit code is updated every 60 seconds and is used in addition to the user’s username and password to authenticate identity.
The token uses a cryptographic function (likely to be a variant of AES-128) to generate the code from a random number known as the seed and a clock built into the token. The seed is unique to each token and is hardcoded into the token’s circuit. The same seed is loaded into the organisation’s RSA SecurID server, so that the server can verify the token value entered by the user.
Seeds are mapped to individual tokens through each token’s serial number. So the RSA SecurID server in each organisation knows which token contains which seed, and can therefore perform the same mathematical operations to generate the code (for comparison with what the user has entered). Needless to say, seeds and serial numbers are very well protected by RSA.
The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it's this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
—Ars Technica
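A small simulation of the seed-plus-clock scheme described above, written for this post rather than taken from RSA (whose algorithm is proprietary): HMAC-SHA1 over a 60-second counter stands in for the token’s cryptographic function, the serial-to-seed map is a constructed stand-in for the seed warehouse, and the `SecurIDServer` class is a hypothetical customer-side verifier. It shows why a copy of the seed is as good as the token itself, and that revoking or re-seeding the serial on the server is what invalidates a stolen copy.

```python
import hashlib
import hmac
import struct

# Constructed sample data: serial number -> seed, standing in for the
# seed warehouse that ships a seed to each customer's SecurID server.
SEED_WAREHOUSE = {"000123456789": bytes.fromhex("31323334353637383930" * 2)}


def token_code(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Six-digit code from seed + clock. Assumption: HMAC-SHA1 over the
    60-second counter (RFC 6238 style) replaces RSA's proprietary function;
    only the structure (same seed + same clock -> same code) is the point."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecurIDServer:
    """Hypothetical customer-side verifier: knows which serial holds which seed."""

    def __init__(self, seeds: dict):
        self.seeds = dict(seeds)
        self.revoked = set()

    def revoke(self, serial: str) -> None:
        # Reported-lost token, or every affected serial after a seed breach.
        self.revoked.add(serial)

    def reseed(self, serial: str, new_seed: bytes) -> None:
        # Replacement token issued: the old seed no longer verifies.
        self.seeds[serial] = new_seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        if serial in self.revoked or serial not in self.seeds:
            return False
        # Tolerate one step of clock drift either side, as real servers do.
        return any(hmac.compare_digest(code, token_code(self.seeds[serial], now + d))
                   for d in (-60, 0, 60))


def demo(now: int = 1_700_000_000) -> dict:
    serial = "000123456789"
    server = SecurIDServer(SEED_WAREHOUSE)
    stolen_copy = dict(SEED_WAREHOUSE)          # what leaves the warehouse
    results = {"genuine": server.verify(serial, token_code(SEED_WAREHOUSE[serial], now), now),
               "stolen_seed": server.verify(serial, token_code(stolen_copy[serial], now), now),
               "wrong_seed": server.verify(serial, token_code(b"not-the-seed", now), now)}
    server.reseed(serial, b"fresh-seed-from-replacement-token")
    results["stolen_after_reseed"] = server.verify(serial, token_code(stolen_copy[serial], now), now)
    return results
```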
Lockheed’s networks (and those of L-3) were secured using RSA’s SecurID tokens. So the hackers needed to know one or more employees’ usernames and passwords, and they needed access to the tokens used by those employees. But as anyone who has worked with corporate networks will tell you, the loss of a token is taken seriously and must be reported at the earliest. The moment such a report is made, access using the lost token is blocked at the server level.
Robbing the keeper of keys
Turns out, a few months earlier, RSA itself had been the victim of a security breach. Hackers (believed to be from China) had sent an RSA employee in Australia an email with an attachment. The employee opened that attachment, allowing the sender to exploit a vulnerability in Adobe Flash to gain access to the RSA employee’s system.
The intruders then harvested credentials stored on that system. These included credentials for other systems, allowing them access to other systems on RSA’s network. After gaining access to each new system, they would harvest credentials before moving on.
Hopping from system to system, they managed to gain access to the server — called the seed warehouse — where RSA maintained seed values for all tokens manufactured by it.
Every 15 minutes, that server would pull off a certain number of seeds so that they could be encrypted, written to a CD, and given to SecurID customers. That link was necessary; it allowed RSA’s business side to help customers set up their own server that could then check users’ six-digit code when it was typed into a login prompt. Even after the CD was shipped to a client, those seeds remained on the seed warehouse server as a backup if the customer’s SecurID server or its setup CD were somehow corrupted.
—Wired
They then spent nine hours copying and transferring this data out of the RSA network to a compromised third-party server. From there it disappeared. Presumably, it was downloaded to Unit 61398’s 12-storey office in Shanghai.
The RSA attacker then copied targeted data and moved it to servers inside the company where it was aggregated, compressed, and encrypted and then sent to a server at a hosting provider that had been compromised, according to Rivner.
—Cnet
Along with seed values, the attackers also reportedly stole the algorithm that mapped seed values to the unique serial number of each token. With that information and some clever social engineering, Unit 61398 was able to gain access to the systems of RSA clients such as Lockheed Martin by fooling Lockheed’s RSA SecurID server into believing they were an authorised user.
But to make use of the data stolen from RSA, security experts said, the hackers would also have needed the passwords of one or more users on Lockheed’s network. RSA has said that in its own breach, the hackers accomplished this by sending “phishing” e-mails to small groups of employees, including one worker who opened an attached spreadsheet that contained a previously unknown bug.
This let the hacker monitor the worker’s passwords. Security specialists suspect that something similar happened in the Lockheed attack, with the hackers using the data stolen from RSA to predict the security codes that the token would generate.
—New York Times
The extent of the breach at Lockheed, L-3, and others was never revealed. Lockheed claimed that it was able to identify and neutralise the attacker before they could get access to anything valuable.
The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.
Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says.
—Dark Reading
The RSA hack and the intrusions at Lockheed Martin, L-3, and reportedly Northrop Grumman together made up the first major supply chain attack, preceding the SolarWinds debacle by nearly a decade.
The events of the attack have been covered from RSA’s perspective in a very readable longform piece by Andy Greenberg for Wired.
You might also enjoy reading my spy novels: Let Bhutto Eat Grass & Let Bhutto Eat Grass: Part 2 deal with nuclear weapons espionage in 1970s India, Pakistan, and Europe.